U.S. Department of the Interior 
PRIVACY IMPACT ASSESSMENT 





Introduction 


The Department of the Interior requires PIAs to be conducted and maintained on all IT systems whether 
already in existence, in development or undergoing modification in order to adequately evaluate privacy 
risks, ensure the protection of privacy information, and consider privacy implications throughout the 
information system development life cycle. This PIA form may not be modified and must be completed 
electronically; hand-written submissions will not be accepted. See the DOI PIA Guide for additional 
guidance on conducting a PIA or meeting the requirements of the E-Government Act of 2002. See 
Section 6.0 of the DOI PIA Guide for specific guidance on answering the questions in this form. 


NOTE: See Section 7.0 of the DOI PIA Guide for guidance on using the DOI Adapted PIA template to 
assess third-party websites or applications. 


Name of Project: Everbridge Emergency Notification System (ENS)
Bureau/Office: Office of the Secretary/Office of Emergency Management 
Date: May 7, 2020 

Point of Contact: 

Name: Danna Mingo 

Title: OS Associate Privacy Officer 

Email: OS_privacy@ios.doi.gov 

Phone: (202) 208-3368 

Address: 1849 C Street, NW, Room 7112, Washington, D.C. 20240 


Section 1. General System Information 


A. Is a full PIA required?

Yes, information is collected from or maintained on
[ ] Members of the general public
[X] Federal personnel and/or Federal contractors
[X] Volunteers
[ ] All

[ ] No: Information is NOT collected, maintained, or used that is identifiable to the individual in
this system. Only sections 1 and 5 of this form are required to be completed.


B. What is the purpose of the system? 


Everbridge Emergency Notification System (ENS) is an emergency notification and employee 
accountability cloud-based application that provides organizations with the ability to quickly 
send critical information to recipients. It is the ENS that replaces the Send Word Now ENS the
Department has been using. Everbridge ENS collects, modifies, updates, and safeguards contact
information for emergency situations, including natural, environmental, or austere weather
conditions affecting the Department of the Interior (DOI) mission or function, emergency
contacts, and agency continuity of operations. In emergency situations where active involvement
of the vendor is necessary due to the loss of DOI primary and normal means of communication,
Everbridge ENS may be used to facilitate and transfer communications between agency leaders
in support of continuity of operations and provide alerts and other response needs as determined
by DOI.


Everbridge ENS is centrally managed by the DOI Office of Emergency Management (OEM) and 
may be used by DOI bureaus and offices, including National Park Service, Bureau of Land 
Management, U.S. Fish and Wildlife Service, Bureau of Indian Affairs, Bureau of Reclamation, 
Bureau of Ocean Energy Management, Bureau of Safety and Environmental Enforcement, 
Office of Natural Resources Revenue, U.S. Geological Survey, Bureau of Indian Education, 
Office of Surface Mining, and the Office of the Secretary. Everbridge ENS may be used in 
abnormal operations as defined by the Office of Personnel Management and is further restricted 
to use during contingency communication conditions as determined by Bureau/Office 
Emergency Management (EM) Coordinators. Examples of Everbridge ENS uses may include 
notifications of response level or alert declaration, continuity events or activities, building or 
facility closure or access issues, weather events (severe storms, flooding, etc.), security
alerts/threats/incidents, exercise messaging, and communications drills. 


Everbridge ENS is a Software as a Service (SaaS) cloud service provider located in the United 
States. Everbridge ENS is FedRAMP authorized. 


C. What is the legal authority?

5 U.S.C. 301; 44 U.S.C. 3101; 6 U.S.C. 101 et seq., Homeland Security Act of 2002; 50 U.S.C. 
App. 2062, The Defense Production Act of 1950, as amended; 31 U.S.C. §§ 1535-1536, 
Economy Act; 50 U.S.C. §§ 1601-1651; 42 U.S.C. 247d and 300hh, The Public Health Security 
and Bio-terrorism Preparedness and Response Act of 2002; Pub. L. 106-390, Robert T. Stafford 
Disaster Relief and Emergency Assistance Act; Executive Order 12656, Assignment of National 
Security and Emergency Preparedness Responsibilities; Presidential Decision Directive 67, 
Enduring Constitutional Government and Continuity of Operations; Federal Continuity Directive 
- 1, Federal Executive Branch National Continuity Program and Requirements; Federal Property 
Management Regulation (FPMR) 101-20.103-4, Occupant Emergency Program; Homeland 
Security Presidential Directive 20, National Continuity Policy; 900 Departmental Manual 
Chapters 1-5, Emergency Management Program; and Department of the Interior Continuity of 
Operations Plan. 


D. Why is this PIA being completed or modified?

New Information System
[ ] New Electronic Collection
[ ] Existing Information System under Periodic Review
[ ] Merging of Systems
[ ] Significantly Modified Information System
[ ] Conversion from Paper to Electronic Records
[ ] Retiring or Decommissioning a System
[ ] Other: Describe


E. Is this information system registered in CSAM? 


Yes: CSAM ID: 2564 UII Code: 010-000001989 SSP Name: Everbridge Emergency 
Notification System (ENS) 


[ ] No


F. List all minor applications or subsystems that are hosted on this system and covered under
this privacy impact assessment.

Subsystem Name | Purpose | Contains PII (Yes/No) | Describe (If Yes, provide a description.)
None

G. Does this information system or electronic collection require a published Privacy Act 
System of Records Notice (SORN)? 


Yes: DOI-58, Employee Administrative Records, April 20, 1999 (64 FR 19384), 
modification published February 13, 2008 (73 FR 8342); and DOI-85, Payroll, Attendance, 
Retirement, and Leave Records, July 19, 2018 (83 FR 34156). Some information in this system 
may be covered under OPM/GOVT-1, General Personnel Records, December 11, 2012 (77 FR 
73694); modification published November 30, 2015 (80 FR 74815). 

[ ] No


H. Does this information system or electronic collection require an OMB Control Number? 


[ ] Yes: Describe
No 


Section 2. Summary of System Data 


A. What PII will be collected? Indicate all that apply.

Name
[ ] Religious Preference
[ ] Social Security Number (SSN)
[ ] Citizenship
[ ] Security Clearance
[X] Personal Cell Telephone Number
[ ] Gender
Spouse Information
[ ] Tribal or Other ID Number
[ ] Birth Date
[ ] Financial Information
[X] Personal Email Address
[ ] Group Affiliation
[ ] Medical Information
[ ] Mother’s Maiden Name
[ ] Marital Status
[ ] Disability Information
Home Telephone Number
[ ] Biometrics
[ ] Credit Card Number
[ ] Child or Dependent Information
[ ] Other Names Used
[ ] Law Enforcement
[ ] Employment Information
[ ] Truncated SSN
[ ] Education Information
[ ] Military Status/Service
[ ] Legal Status
[ ] Emergency Contact
Mailing/Home Address
[ ] Place of Birth
[ ] Driver’s License
[ ] Race/Ethnicity


Other: Everbridge ENS may also contain employee job title, work email address, office 
phone number, work cell phone number, organization code, group name and membership for 
roles in emergency management groups, and username. Information may also include spouse 
contact information such as phone numbers and email.


B. What is the source for the PII collected? Indicate all that apply.

Individual
[ ] Federal agency
[ ] Tribal agency
[ ] Local agency
DOI records
[ ] Third party source
[ ] State agency

Other: Information may be extracted from DOI employee records with Emergency Response 
Official (ERO) designations within the Federal Personnel Payroll System (FPPS) or Employee 
Express. Bureau/Office responsible officials vet the extracted data and identify any records that 
should not be uploaded. Data may also be manually added to the system or updated by 
authorized managers or by the employee through a self-update portal that leverages official 
email addresses in Active Directory (AD) to review their contact record and make the necessary 
updates. This request may be initiated by a Bureau/Office designated administrator.


C. How will the information be collected? Indicate all that apply.

[ ] Paper Format
[X] Email
[X] Face-to-Face Contact
[X] Web site
[ ] Fax
[X] Telephone Interview
[X] Information Shared Between Systems: Information may be collected from DOI employee
records within the Federal Personnel Payroll System (FPPS) or Employee Express.
[ ] Other: Describe

D. What is the intended use of the PII collected?


The PII collected in the contact records is necessary for the DOI COOP, EM, Employee 
Accountability, and Occupant Emergency Programs to have multiple methods of contacting 
EROs and Crisis Management Teams during an emergency to ensure emergency contacts and 
operations sustain a continuity of operations. This information will be used for emergency alerts 
and notifications to DOI employees who are on or off duty regarding incidents, emergencies, 
office closures, tests, and/or exercises. 


E. With whom will the PII be shared, both within DOI and outside DOI? Indicate all that
apply. 


Within the Bureau/Office: Contact information is provided to the OS COOP Team members 
or EM Coordinators to verify members on the contact lists. 


Other Bureaus/Offices: Contact information is provided to the Bureau/Office COOP Team 
members or EM Coordinators to verify members on the contact lists. Employee lists may be 
shared with authorized personnel for the purposes of employee accountability, recall, and other 
contingency operations. 


[ ] Other Federal Agencies
[ ] Tribal, State or Local Agencies


Contractor: OCIO contract support staff have access to the records in order to determine
the causes of issues related to data uploads or communications. The staff analyzes the message
history and logs to determine where a failure may have occurred, such as an incorrect phone
number or email address. DOI/OCIO contractors also have access to records in order to provide
the support to resolve issues between AD, FPPS, and Employee Express.


[ ] Other Third-Party Sources


F. Do individuals have the opportunity to decline to provide information or to consent to the
specific uses of their PII? 


Yes: Describe the method by which individuals can decline to provide information or how 
individuals consent to specific uses. 
Individuals may verbally or in writing decline to provide the contact information. During a 
routine self-update, individuals have the option to provide all, some, or none of the non-work 
contact information. As a member of the DOI emergency management community, each 
contact must ensure their information is current to perform their role as an ERO. A Privacy 
Act Statement will be placed in the self-update portal/email request.

[ ] No: State the reason why individuals cannot object or why individuals cannot give or
withhold their consent.


G. What information is provided to an individual when asked to provide PII data? Indicate
all that apply. 


Privacy Act Statement: A Privacy Act Statement will be included in the self-update 
portal/email request. In some cases, a privacy notice may be added to phone trees or emergency 
contact lists used in parallel with Everbridge and as an alternate if Everbridge ENS is 
unavailable. Individuals are also provided notice through the publication of this privacy impact 
assessment and related assessments, and applicable DOI system of records notices, DOI-58 and 
DOI-85. 


[ ] Privacy Notice
[ ] Other
[ ] None


H. How will the data be retrieved? List the identifiers that will be used to retrieve information
(e.g., name, case number, etc.). 

Data is retrieved manually by an administrator or other privileged user or message sender. 
Contact record information is retrieved by last name, group name or membership. Group 
membership is identified in group membership reports generated manually or programmed. 


I. Will reports be produced on individuals?


Yes: What will be the use of these reports? Who will have access to them? 

DOI Watch Officers, Warning Specialists, dispatchers, and authorized COOP/EM staff can 
produce reports. The reports contain names and contact information of the DOI EM community. 
Reports from Everbridge ENS regarding contact responses to alerts, message history, receipt of 
emergency notifications, and participation status are used for employee accountability. Reports 
may be generated to determine the effectiveness of emergency response, exercises, or 
contingency which will be shared with authorized personnel at bureaus/offices in order to 
provide feedback and corrective actions. 


[ ] No


Section 3. Attributes of System Data


A. How will data collected from sources other than DOI records be verified for accuracy?
Bureau/Office authorized managers vet the extracted data and identify any records that should 
not be uploaded. Updates to the records can be manually entered by the authorized managers or 
by the employee through the portal or email request to review their contact record and make the 
necessary updates. This request is initiated by Bureau/Office authorized managers with access to 
the ENS. Contact records from AD will be uploaded on a regular schedule to ensure new 
employees are added to the ENS and departed employees (retired, left DOI, etc.) are removed from the
system via the Web Services API. An email update request is sent to employees with instructions 
on how to update contact records to ensure accuracy of emergency management contact 
information. 


B. How will data be checked for completeness?

The contact information is checked for completeness during the Everbridge ENS alert 
notification for events such as fire drills, shelter-in-place, building evacuations, National Level 
Exercises, and office closures. If the message history for the alert for each contact indicates the 
message was not received, the contact information such as email address, phone numbers, and 
text message will be manually checked to confirm the information is correct or needs to be 
updated. 


C. What procedures are taken to ensure the data is current? Identify the process or name the
document (e.g., data models).

Individuals are sent the self-update email requests regularly. Account administrators, data 
owners, units, groups, or office managers using the account are responsible for keeping the data 
in their accounts current. To accomplish this task, the system supports a number of data 
maintenance methods which include direct entry, a flat file (csv, xls, xlsx) import process, a 
batch extensible markup language file of contact data that is transmitted via an automatable 
secure file transfer, and a Web Services API using a simple object access control connection. All 
data maintenance methods used require administrative authentication. 


D. What are the retention periods for data in the system? Identify the associated records
retention schedule for the records in this system.

Contact records are maintained under the DOI Departmental Records Schedule 1 - DAA-0048- 
2013-0001-0003, Administration Records of Specific Temporary Value, which was approved by 
the National Archives and Records Administration (NARA). The disposition is temporary. 
Records are cut off when the object or subject of the record is removed or discontinued, and 
records are destroyed when no longer needed. 


E. What are the procedures for disposition of the data at the end of the retention period?
Where are the procedures documented? 

Everbridge uses software for data deletion or destruction that complies with the U.S. Department 
of Defense 5220.22-M standards. Approved disposition methods include shredding or pulping for
paper records, and degaussing or erasing for electronic records, in accordance with NARA
Guidelines and 384 Departmental Manual 1. Disposition procedures are outlined in the 
Everbridge Information Security Policy. 


F. Briefly describe privacy risks and how information handling practices at each stage of the
“information lifecycle” (i.e., collection, use, retention, processing, disclosure and 
destruction) affect individual privacy. 

There are risks to the privacy of individuals due to the PII contained in the system related to 
an individual’s work phone number, home phone number, work and personal cell phone numbers,
and work or personal email addresses. These risks are mitigated by a combination of 
administrative, physical and technical controls. The contact information is used to communicate 
with COOP, emergency management personnel, and individuals with occupant emergency 
responsibilities. These individuals must be reachable by several methods. In addition, group 
email lists need to be current. During COOP training, individuals are informed that their contact 
information must be current in the system. 


Everbridge ENS is a Software as a Service (SaaS) cloud service provider located in the United 
States. Everbridge ENS is FedRAMP Authorized. Everbridge ENS has a Moderate system 
security categorization based upon the type of data and the requirement for security and privacy 
controls to protect the confidentiality, integrity, and availability of the sensitive PII contained in 
the system in accordance with National Institute of Standards and Technology (NIST) 
standards and FIPS 199, and the Federal Information Security Modernization Act (FISMA). A 
system security plan was developed for the Everbridge ENS to ensure appropriate security 
controls were implemented to safeguard DOI information transmitted, processed or stored, 
including access controls, password management, firewalls, segregation of duties, and encryption 
of database, media and communications. This application uses the principle of least privilege 
access for authorized users to perform duties, and government information is managed and 
safeguarded in accordance with FISMA, Office of Management and Budget policies, NIST 
standards, and DOI security and privacy policies. The Everbridge ENS is subject to monitoring 
consistent with applicable security and privacy laws, regulations, OMB policy, and
DOI policies and procedures.


Data will be used for emergency alert and notification of DOI employees on incidents, 
emergencies, tests and/or exercises. Bureau/Office authorized managers and bureau/office EM 
Coordinators notify OEM when a member should be deleted. Authorized users will immediately 
delete the individual’s record and remove the individual from groups. An authorized user may confirm the record has
been deleted in Everbridge ENS. After the termination of a client contract or service, a legal 
review will be completed on the contract to determine further actions necessary for this data and 
whether the data will be destroyed, retained, or returned. 


The use of DOI information and information technology (IT) systems is conducted in accordance 
with the appropriate DOI use policy. IT systems, in accordance with applicable DOI guidance, 
will maintain an audit trail of activity sufficient to reconstruct security relevant events. The audit 
trail will include the identity of each entity accessing the system; time and date of access;
activities performed using a system administrator’s identification; and activities that could
modify, bypass, or negate the system’s security controls. Audit logs will be reviewed on a 
regular, periodic basis and any suspected attempts of unauthorized access or scanning of the 
system are reported to IT Security. The least amount of access is given to a user to complete their 
required activity. All access is controlled by authentication methods to validate the authorized 
user. DOI employees and contractors are required to complete security and privacy awareness 
training, and DOI personnel authorized to manage, use, or operate the system information are 
required to take additional role-based training and sign DOI Rules of Behavior. 


Section 4. PIA Risk Review 


A. Is the use of the data both relevant and necessary to the purpose for which the system is
being designed?

Yes: The application is relevant and necessary for collecting, modifying and safeguarding
contact information for emergency situations affecting the DOI mission or function,
emergency contacts, and agency continuity of operations.


[ ] No


B. Does this system or electronic collection derive new data or create previously unavailable
data about an individual through data aggregation?

[ ] Yes: Explain what risks are introduced by this data aggregation and how these risks will be
mitigated.
[X] No


C. Will the new data be placed in the individual’s record?

[ ] Yes: Explanation
[X] No


D. Can the system make determinations about individuals that would not be possible without
the new data?

[ ] Yes: Explanation
No


E. How will the new data be verified for relevance and accuracy?

The system does not derive new data or create previously unavailable data about an individual
through data aggregation. 


F. Are the data or the processes being consolidated?

[ ] Yes, data is being consolidated. Describe the controls that are in place to protect the data
from unauthorized access or use.
[ ] Yes, processes are being consolidated. Describe the controls that are in place to protect the
data from unauthorized access or use.
No, data or processes are not being consolidated.


G. Who will have access to data in the system or electronic collection? Indicate all that apply.

[X] Users
[X] Contractors
[ ] Developers
[X] System Administrator
[ ] Other: Describe


H. How is user access to data determined? Will users have access to all data or will access be
restricted? 

Bureau/Office authorized managers and bureau/office EM Coordinators identify who is 
authorized to access the system. Bureau/Office authorized managers and bureau/office EM 
Coordinators may initiate alerts for closures, testing, drills, and emergencies. Bureau/Office
authorized managers and bureau/office EM Coordinators have rights to create users, input or 
initiate updates to contact information and generate roster reports. Bureau/Office EM 
Coordinators are responsible for rebuilding DOI operations at different locations when 
operations have been incapacitated. Bureau/Office authorized managers and bureau/office EM 
Coordinators can assign access rights to view or edit records. 


I. Are contractors involved with the design and/or development of the system, or will they be
involved with the maintenance of the system? 


Yes. Were Privacy Act contract clauses included in their contracts and other regulatory 
measures addressed? 
Privacy Act contract clauses were included in the ATT/Everbridge contract. 
- Federal Acquisition Regulation (FAR) 52.224-1, Privacy Act Notification (Apr 1984)
- FAR 52.224-2, Privacy Act (Apr 1984)
- FAR 52.239-1 Privacy or Security Safeguards (Aug 1996)

[ ] No


J. Is the system using technologies in ways that the DOI has not previously employed (e.g.,
monitoring software, SmartCards or Caller ID)?

[ ] Yes. Explanation
No


K. Will this system provide the capability to identify, locate and monitor individuals?


Yes. The system contains a Message History with a Summary, Delivery Status, Recipient 
Status, and Report. The Reports and Audit Trail is a reporting tool with the ability to 
generate reports and view when groups or contacts were created or modified, the username 
of the individual that changed the record, and the date and time the record was updated. 
Information in the history and audit log may include contact person responses, date/time, 
mode of contact such as Short Message Service, cell, or email. The system logs all changes 
to customer accounts for auditing purposes, and the logs are only accessed by administrative/manager
staff to track the date, time and action. The auditing feature does not allow for the application 
to be used or changed without administrative notification. 


[ ] No


L. What kinds of information are collected as a function of the monitoring of individuals?
Information collected is used to monitor user access (username) and activity (logins, record 
changes, deletions, additions, date and time-stamp) for auditing purposes. 

M. What controls will be used to prevent unauthorized monitoring?

Access to this program is only provided to the necessary authorized employees and is applied on 
the principle of least privilege access to allow authorized employees access to the tracking 
information. Audit features track user activity and the Everbridge ENS administration system 
logs all changes to customer accounts for auditing purposes. 


N. How will the PII be secured?

(1) Physical Controls. Indicate all that apply.

[X] Security Guards
[ ] Key Guards
[X] Locked File Cabinets
[X] Secured Facility
[X] Closed Circuit Television
[X] Cipher Locks
[X] Identification Badges
È] Safes 

[X] Combination Locks
[X] Locked Offices
[ ] Other. Describe

(2) Technical Controls. Indicate all that apply.

[X] Password
[X] Firewall
[X] Encryption
[X] User Identification
[ ] Biometrics
[ ] Intrusion Detection System (IDS)
[X] Virtual Private Network (VPN)
[X] Public Key Infrastructure (PKI) Certificates
[X] Personal Identity Verification (PIV) Card
[ ] Other. Describe

(3) Administrative Controls. Indicate all that apply.

[X] Periodic Security Audits
[X] Backups Secured Off-site
[X] Rules of Behavior
[X] Role-Based Training
[X] Regular Monitoring of Users’ Security Practices
[X] Methods to Ensure Only Authorized Personnel Have Access to PII
[X] Encryption of Backups Containing Sensitive Data
[X] Mandatory Security, Privacy and Records Management Training
[ ] Other. Describe

O. Who will be responsible for protecting the privacy rights of the public and employees? This 
includes officials responsible for addressing Privacy Act complaints and requests for 
redress or amendment of records. 


The Director, Office of Emergency Management, is the Everbridge ENS Information System 
Owner and the official responsible for oversight and management of the Everbridge ENS 
security controls and the protection of agency information processed and stored in the 
Everbridge ENS. The Information System Owner and Everbridge ENS Privacy Act System 
Manager, in collaboration with the DOI Senior Management Team, are responsible for ensuring 
adequate safeguards are implemented to protect individual privacy in compliance with Federal
laws and policies for the data managed, used, and stored in the Everbridge ENS. These officials,
DOI bureau and office emergency response officials, and authorized Everbridge ENS personnel 
are responsible for protecting individual privacy for the information collected, maintained, and 
used in the system, and for meeting the requirements of the Privacy Act, including providing 
adequate notice, making decisions on Privacy Act requests for notification, access, and 
amendments, as well as processing complaints, in consultation with DOI Bureau and Office 
Privacy Officers. 


P. Who is responsible for assuring proper use of the data and for reporting the loss,
compromise, unauthorized disclosure, or unauthorized access of privacy protected 
information? 


The Everbridge ENS Information System Owner is responsible for oversight and management of 
the Everbridge ENS security and privacy controls, and for ensuring to the greatest possible 
extent that agency data is properly managed and that all access to agency data has been granted 
in a secure and auditable manner. The Information System Owner is also responsible for 
ensuring that any loss, compromise, unauthorized access or disclosure of agency PII is reported 
to DOI-CIRC within 1 hour of discovery in accordance with Federal policy and established
procedures. Customer communications are managed through an initial point of contact service 
model. Customer Support Managers (CSMs) serve as the initial point of contact for assuring the 
proper use of client data, as well as informing clients of the loss, compromise, unauthorized 
disclosure, or unauthorized access of privacy protected information. The Customer Support 
management team will also be involved in this process as necessary.